Social networking sites have little to no identity verification
31 March, 2008
category: Library
But this must change
By Zack Martin, Editor
When trying to get into a bar or club there is typically someone at the door checking IDs. But on social networking sites there is no bouncer, which means there’s no way to tell whether you’re corresponding with a 15-year-old girl or a 32-year-old man.
It’s the same no matter where you go. MySpace, Facebook, and professional networking site LinkedIn, do little to make sure people are who they claim to be. “There is a general feeling that social networking is the wild west of identity management and a lot of bad things happen because proper controls haven’t been put in place,” says Roger K. Sullivan, president of the Liberty Alliance Project management board.
The stories range from the tame to the tragic.
A student not happy with an administrator at school creates a profile on a social networking site. Even though the student is a woman she creates a profile that is a man and then flirts with the administrator in order to cause her embarrassment later.
At a Catholic school in the Chicago suburbs, an administrator monitors the popular social sites on a regular basis just to make sure nothing out of the ordinary is happening. She has run into instances where students create accounts in other peoples’ names – people who actually exist – and then make false statements. For example, one student set up an account as a real person from another school and made statements about the student’s sexual proclivities while giving out her real phone number.
In 2006, a fake profile led to the suicide of a 13-year-old Missouri girl. A classmate’s mother originally created the profile to find out if Megan Meier was saying anything bad about her daughter. But then it was used to gain Meier’s confidence and then to tear her down. Angry messages went back and forth, and it ended with Meier hanging herself.
There’s also the need to prevent pedophiles from contacting children online. MySpace has agreed with different states’ attorney generals to adopt better technologies that will help identify underage users so they can be protected from predators, but the social networking site hasn’t figured out how it’s going to do it.
The vast majority of sites don’t do anything to try to confirm the identities of members. The sites also don’t want to absorb the cost of trying to prove the identity of their members. Also, identifying minors is almost impossible because there isn’t enough information out there to authenticate their identity.
But this may all change. As sites become more scrutinized they will have to take steps to make sure people are who they say. “There will be a trend to use a third party that leverages database information that will be able to vouch for you and provide a more certain level of identification,” says Eric Skinner, chief technology officer at Entrust, an Addison, Texas-based digital identification vendor.
There are a handful of vendors that are offering online identity vetting. Most are working with financial institutions, but they see business opportunities with the social networking sites.
eHarmony and others offer optional identity services
Pasadena, Calif.-based eHarmony.com is offering identity verification technology to its members, says a spokesperson for the company. The dating web site is using technology from Dallas-based RelyID.
“Many users are new to the whole world of online dating and sometimes need a little more encouragement to get off the fence to reach out to their matches,” says the eHarmony spokesperson. “We saw RelyID as another way to help people take that first step.”
The service is voluntary to eHarmony members and they must pay an additional $5.95 fee to participate. For those members who want to be authenticated, they provide their full legal name, address and date of birth. RelyID’s technology then checks public and financial records databases and comes back with a multiple choice quiz based on an
individual’s personal data, such as names of relatives and latest financial transaction, says Pat Mangacotti, vice president of business development at the company.
If an individual answers the question correctly, the ID will be verified and they receive an authentication badge on their profile. If they don’t answer the questions correctly they can come back and take the quiz again within 72 hours, Mangacotti says. If they can’t be verified after taking the quiz a second time they can then present government-issued identification to RelyID’s customer support team.
Reaction to the service has been positive, says the eHarmony spokesperson. But the company would not say how many members have chosen to use the RelyID service. “In a few cases, where certain customers may have been new to online dating, they have told us that seeing a user’s RelyID badge got them off the fence and let them confidently reach out to a particular eHarmony member,” the spokesperson says.
Mobile social networking service Funky Sexy Cool is offering identity verification to all its members at no additional cost, says Tim O’Connor, CEO of the New York-based company. But members have to choose to go through the process. Funky Sexy Cool enables members to find other like-minded individuals in the same geographic area to hang out with. For example, a member can send out a message to his friends saying he’ll be at a certain club or bar.
When first registering for Funky Sexy Cool potential members can click a box that will enable them to be verified, O’Connor says. If they choose to go through the process they will be asked for information, such as full name, last four digits of the Social Security number and date of birth. Funky Sexy Cool is using ID verification technology from IDology Inc., Atlanta.
IDology searches public databases to confirm an identity, says a company spokesperson. The company’s technology searches driver license records, property records and similar databases.
To sign up for Funky Sexy Cool a user must already claim to be 18 years old, O’Connor says. The site doesn’t require age or ID verification because they don’t want too many steps to register for the site. “If you make too many things mandatory people between the ages of 18 and 34 won’t join,” he says.
O’Connor says there is a need for some sort of age or identity verification, but the companies that run these sites walk a fine line. “I want to be part of a group that enforces age verification,” he says. “But if you have registration that is cumbersome and difficult you won’t get the members. We’re trying to gauge member reaction and see what happens.”
Cost is another problem, O’Connor says. IDology charges about 37 cents per ID verification, which doesn’t seem like much at first. But when dealing with hundreds of thousands to a million of members the cost rises quickly. “We need to increase ad revenue so we can defer some of that cost,” he says.
Minor difficulty
But the problem of identifying minors remains. The technologies that some sites use to prove an identity use public records and databases and minors don’t have any information in those systems. “There isn’t a technology that exists today that can confirm a minor’s identity online,” says a MySpace spokesperson. IDology and RelyID say they wouldn’t be able to identify minors with their technology.
It would also be difficult to just confirm age without needing additional information, says Ant Allan, research vice president at Gartner Inc., Stamford, Conn. This would raise privacy concerns, especially when dealing with minors. “The younger you are the less information appears in the databases,” he says. “And when you’re on the borderline, their identity proofing systems won’t come back with anything. Also, someone could be 18 to 21 years old, and they may not have amassed enough information to return a positive result.”
Liberty Alliance’s Sullivan, who is also vice president of Oracle Identity Management, says it’s only a matter of time before social networking sites offer tiers of identification assurance, which could be used to confirm a minor’s identity. For example, if a 14 year old wanted to sign up on MySpace without a parents’ permission they would be placed on the lowest ID tier. “They would be put into a question mark bucket,” Sullivan says.
But if one parent went online and confirmed his child’s identity they would be raised up a tier. If both parents did it they would go up two tiers. The parents would be authenticated through public records and online databases.
Eventually there would be a fourth tier as well. A minor would physically go to a trusted source with documents that prove their age and identity. These identity assurance sources don’t exist, but it’s something the Liberty Alliance is working toward, Sullivan says.
Already authenticated?
But what about those individuals who want to remain anonymous online? They’re not pedophiles or out to harm anyone, but they just don’t want their true identity revealed.
“There are some social networking sites where people want to be associated with the real world identity and others where they don’t,” Allan says. “If the folks running MySpace and Facebook insist on some level of identity proofing, it might discourage people from joining.
“The needs here vary and I don’t think it’s clear cut that social networking sites have to have the same level of authentication and identity proofing as financial services sites.”
For social sites there doesn’t have to be a strong link to the real-world identity, Allan says. “If you’re trying to prevent something obscene from being posted there is recourse through the usual channels like finding their IP address,” he says. “For the majority of reasonably well-behaved people it’s not so important.”
For sites where reputation might hold a bit more importance, such as LinkedIn, there is a type of hierarchical identity proofing that exists on the sites, Allan says. “The network is part of the identity verification,” he says. “Once you get a certain number of people it establishes you and is a way of acknowledging your identity. Depending on the rigor people are looking for that network might be enough to confirm a person’s identity, but other times you might need something else that can be verified.”